DNS Problem

We have two Windows 2003 servers that function as domain controllers and DNS servers.  For DNS, they log entries for local workstations and point to our ISP for web name resolution.  Since about a week ago, no client can access www.yahoo.com.  Checked with our ISP and they report OK (also changed my DNS settings to their servers on my local workstation and can access yahoo).  From what I understand, flushing the DNS cache on both servers should fix the problem, but I want to know (1) why this should matter if it's pointing out to the ISP for the info anyway and (2) what the ramifications of flushing the cache are.


DNS servers keep a cache of the domain names that are resolved. If your server has a wrong DNS entry in its cache (every machine has a cache) it will falsely resolve. So the flushdns option will flush the local DNS cache the machine has.

This will have absolutely no effect on performance or anything else on your servers. You can do this without worrying about anything. The server will start creating a new local cache by resolving the domain names....
munch007Author Commented:
Flushed DNS cache and still cannot get to www.yahoo.com.  Any suggestions, based upon info above?

>>Flushed DNS cache and still cannot get to<<

I already thought that this wasn't going to solve the problem...

If you go to the DNS server, are you able to go to other sites??? Browse the internet?? And what's between your server and the internet??

Also, when you reboot the server, this flushes the cache.

The reason this happens at times is that sites such as Yahoo have many Web servers.  If you go to the site, the DNS server will store the IP/DNS name in the cache.  If that specific server from Yahoo goes down, then the entry in the cache is wrong and will give its clients the wrong information.  So flushing the cache on the server will allow it to get rid of the wrong information.
Your DNS settings are incorrect. For an AD domain to work properly, your domain members have to use your internal DNS *only*, and use the root hints or forwarders for external lookups.
The following settings should correct the issue:

*** TCP/IP-Settings ***
* On your first DC/DNS, make sure the only DNS listed in the TCP/IP properties is itself.
* On your second DC, let it point to the first DC as primary, to itself as secondary.
* On your domain members, enter both DCs as primary and secondary DNS.
* Do NOT enter your ISP's DNS server in the TCP/IP settings on any domain member. All DNS resolution needs to be done by your internal DNS servers *only*.

*** DNS Server Settings ***
* Delete the root zone (if present) in your DNS servers' forward lookup zones (the single dot, "."), to enable external lookups.
* Right-click your forward and reverse lookup zones, go to Properties, and make sure that Dynamic Updates are enabled.
* In the properties page of your DNS servers, configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
* It's recommended (but not necessary) to set your zones to Active Directory integrated (this can be done in the properties of the zones as well).

Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and re-start the netlogon service. Check if the SRV records have been created (see link below).
For further troubleshooting, you can use dcdiag.exe and netdiag.exe to check your system for errors in the domain setup.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003

How to Verify the Creation of SRV Records for a Domain Controller

How Domain Controllers Are Located in Windows

How Domain Controllers Are Located in Windows XP

SRV Resource Records May Not Be Created on Domain Controller
munch007Author Commented:
I can browse to any website (as far as I can tell) on the DNS server, clients, etc.  Cisco PIX firewall is between DNS server and internet.
munch007Author Commented:
Checked all settings mentioned by oBdA.  All are correct, ISP's servers only appear on the forwarders tab.  I just temp changed my local DNS to my ISP to test.
How do they connect to www.yahoo.com? NAT/Routed/Proxy?
What were the error messages when not reaching www.yahoo.com?
munch007Author Commented:
A user's internet permission is granted thru our firewall...once I permit the IP in the firewall they can connect.  We also have a proxy server, but users cannot connect to yahoo thru it either.  Error is "cannot find yahoo.com"  Cannot ping the site either.
btw, for caching reasons, one DNS server should forward to the second; only the second should forward to the internet.
None of your DNS servers has a "." zone?
Have you updated the root hints file at some point?
Which DNS servers are your DCs using?

There seems to be a compatibility problem with Windows Server 2003 and PIX firewalls that could cause these kinds of conflicts. Try looking at this other thread, it might help


I will paste the answer to that question here... It's a copy from another post (just as a small reminder)..

This is a known compatibility problem between Windows Server 2003's DNS and some firewalls, usually PIX.

See the following articles for details:


Hope that helps!!


Especially the second link is interesting.... Hope it helps..

munch007Author Commented:
So it did solve your problem??? Glad to hear..
munch007Author Commented:
Worked like a champ!  I appreciate the help
You're welcome...
Thanks so much for this solution!!!! It solved my problem too. I was having trouble with people getting to sites like CNN.com and Ebay.com, and  it was just driving me mad and causing me to question everything I knew about setting up DNS. Thanks again! Here is also another link that has a solution about how to tell Windows 2003 to use a 512-byte UDP packet without totally disabling all the EDNS0 features.
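The thread's root cause is a firewall between the Windows 2003 DNS server and the Internet dropping EDNS0 (large UDP) DNS traffic, so lookups that the ISP's resolver answers fine time out when the Windows server sends them. The probe below is an added diagnostic, not code from any poster or from Microsoft: it builds the same A query twice, once with an EDNS0 OPT record advertising a 4096-byte buffer and once as a plain 512-byte-style query, and sends both to a resolver. If only the plain query gets an answer, the path is filtering EDNS0 and the forwarder or packet-size change discussed above is the right fix. The `probe()` helper needs network access; `build_query` and `parse_response` run offline on constructed bytes.

```python
import socket
import struct


def build_query(name, txid=0x1234, edns=True, udp_size=4096):
    """Build a DNS A/IN query; with edns=True append an OPT RR advertising udp_size."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT present
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt


def parse_response(data):
    """Decode the 12-byte DNS header of a response into the fields a troubleshooter cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "txid": txid,
        "rcode": flags & 0x000F,            # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
        "tc": bool(flags & 0x0200),         # truncated: answer did not fit the UDP size
        "answers": an,
        "additional": ar,                   # an OPT RR from the server shows up here
    }


def probe(server, name, timeout=3.0):
    """Send the query with and without EDNS0 to `server` (IP string) on UDP/53.
    A result of None for 'edns' but a parsed header for 'plain' points at a
    firewall dropping EDNS0 / >512-byte DNS replies, as described in the thread."""
    results = {}
    for edns in (True, False):
        key = "edns" if edns else "plain"
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns=edns), (server, 53))
            reply, _ = sock.recvfrom(65535)
            results[key] = parse_response(reply)
        except socket.timeout:
            results[key] = None
        finally:
            sock.close()
    return results
```

Run `probe("<forwarder ip>", "www.yahoo.com")` from the DNS server itself so the packets traverse the same firewall the Windows resolver uses.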

